[lug] openssl vulnerability
D. Stimits
stimits at attbi.com
Sat Sep 21 10:06:04 MDT 2002
Just thought I'd pass something along that I've seen some notice of
lately. There is a vulnerability in non-upgraded openssl package, which
is not really news. However, there were a couple of interesting points I
found that might be useful. One is that "ELF_SLAPPER.A" seems to have as
its purpose distributed DoS. Second, file ".bugtraq.c" will be found in
/tmp/ if the worm is on the system. Third, it only has the privileges of
the Apache user. Fourth, and the part which might be most interesting,
is that the worm first uses an invalid GET request on port 80 to
determine if this is an Apache machine; then it hits port 443 to do what
it does. If you see logs of someone hitting port 80 with an erroneous
GET request, then port 443 immediately after, probably you are being
tested for attack. Also, I recall seeing somewhere a claim that
disabling SSL2 would solve this, but it seems that SSL3 has a slightly
different means of attacking (all of course on outdated openssl).
D. Stimits, stimits AT attbi.com
More information about the LUG
mailing list